We need a new metaphor for…

…”Cyber-attack,” “cyber-war,” or anything similar. No need to pile on to the technical criticism of this LA Times story, which was appropriately Slashdotted. It does highlight the need for clearer thinking about how to deal with the borderless nature of ICT.

Does the presence of malware in a government system really constitute an “attack,” if said malware was “inadvertently loaded” via flash drive and had been circulating in the private sector for months? OK, I think that’s easy. The harder questions follow:

Has any government articulated how it would distinguish between an actual attack using ICT, and a criminal act? Does a state-sponsored scan of another government’s system – if you can prove it – constitute “legitimate” reconnaissance and intelligence gathering? How should states respond to each other’s activities, whether scans or actual penetrations? What constitutes an act of hostility? What happens when a state harbors (i.e., no extradition treaties) an individual malware producer?

Expect more media breathlessness – and more bad cyber-words – until questions like these get sorted out.

[…] 303,000 Google results tonight – to the point where it’s straining credibility, like other overused metaphors involving cyberspace and international goings-on, nefarious or otherwise. A few points for […]